[nsp-sec] 9001: New UDP amplification port?
Borja Marcos
borjamar at sarenet.es
Thu Jul 1 05:45:22 EDT 2021
> On 1 Jul 2021, at 11:35, Dobbins, Roland <Roland.Dobbins at netscout.com> wrote:
>
>
>
>> On Jul 1, 2021, at 4:17 PM, Borja Marcos <borjamar at sarenet.es> wrote:
>>
>> Something seems to be going on with port 9001. There is a sudden interest in it; I have two /23 darknets and I see
>> an odd scan with udp/9100 as destination.
>
> I’ll ask my colleagues to look into our UDP honeypot, as well, and will grovel through our DDoS attack data to see if we caught any of it.
I am checking my darknets.
In 2021, except for two scans sending either 1-byte packets with just a “0x00” or some 4-byte packets with “00010203”, all I see are SIP
packets.
2021-03-05: 205.185.114.55 sent 4-byte packets (“0x00010203”) and then it switched to the 1-byte “0x00” ones.
2021-06-14: 80.82.76.6 sent 1-byte packets (“0x00”).
Might be a coincidence though?
I’ll try to see how I can capture some “attack” packets in case they come back.
Borja.